When the European Court of Justice (ECJ) invalidated Safe Harbour on 6 October 2015, the decision plunged thousands of companies into operational uncertainty.
For the last 15 years, organisations had relied on the privacy pact to serve as the foundation for cross-Atlantic data transfers. It allowed firms to self-certify compliance with privacy principles for protecting personal and other sensitive data.
With the agreement quashed, a number of bulky work-arounds have emerged to serve as interim band-aids while Brussels and DC try to complete the tedious process of renegotiating Safe Harbour with each other and the 28 data protection authorities (DPAs) in the EU.
The first legal band-aid that the ECJ makes available is user consent. This is the notion that companies can transfer data offshore once they’ve secured customer consent to the process.
The problem is that in a number of countries, such as Germany and Spain, individuals can’t waive privacy rights that are considered a fundamental human right.
Also, employees are not understood to have the right to give such content. Though it sounds snappy, user consent doesn’t work.
Another partial solution is that of Binding Corporate Rules (BCRs), which can help companies cope with jurisdictional issues inside the EU. But this approach has limited popularity because it is immensely expensive.
Only the largest of companies have the resources to hire a fleet of on-site lawyers who would then be responsible for carrying out the BCRs. And even if the legal resources are available, companies would still need to solve the technology side problem of demonstrating they are taking adequate security measures.
Cloud vendors including Google, Salesforce and Microsoft have rushed to offer customers amended contracts with Model Clauses. But there is increasing evidence that this approach will not be acceptable to many of the EU DPAs.
Initial statements from a number of DPAs highlight just how fractured and subjective European data protection has become.
The Austrian DPA initially stated that it would accept EC Model Clauses as basis for transfers of personal data to the US. Subsequently it clarified that the DPA would still have to approve specific transfers based on Model Clauses.
Authorities in Spain have opposed the idea that EU Model Clauses could be used as the sole basis for exporting data to the US.
One of 17 German regional DPAs (Schleswig-Holstein) announced its view that because of the ECJ decision, data transfers based on the EU Model Clauses are no longer permitted.
The UK ICO issued a statement that businesses will need to review how data is transferred to the US but recognised that it “will take them some time for them to do this”.
Safe Harbour 2.0 to the rescue?
As none of the interim band-aids fully solve the legal dilemma, it’s small wonder that many companies are looking for a new version of Safe Harbour to come to the rescue.
The problem is, we may not see a new agreement for quite some time. This is because there can be no new accord unless the European Commission, the US and the 28 independent DPAs agree on the details.
The politics are contentious. Many of the DPAs never liked Safe Harbour in the first place and they have been newly empowered by the ECJ suspension ruling, which also contained a provision that the Commission cannot override national laws.
As is, at least one DPA has reluctantly agreed to Model Clauses but with a caveat that they reserve the right to sue if they find what they view as a privacy breach. Even if a new Safe Harbour agreement is reached, it is not likely to grant the sweeping immunity that US companies enjoyed with Safe Harbour 1.0.
So what’s a multi-national business to do? The first choice is to stop using the cloud or transferring data across the Atlantic. That might make the DPAs happy, but it’s unlikely to be practical, sustainable or make business sense.
The second choice is to ignore the issue, wait for the dust to settle and hope a new blanket Safe Harbour replacement is agreed upon. That may take a while, and privacy advocates like Max Schrem now have the green light to challenge other data transfers accords in any EU court.
The third choice is to take proactive steps to reduce exposure by anonymising sensitive personal data before it leaves a country. Many enterprises have taken this approach using a cloud access security broker (CASB) to encrypt or tokenise sensitive data.
This is the only current option that will enable businesses to continue sharing data across regional boundaries while assuring privacy compliance.
Sourced from Willy Leichter, global director of cloud security, CipherCloud